OSS Rebuild: Rebuilding Trust in Open Source Package Ecosystems

Google's new OSS Rebuild project aims to strengthen trust in open-source package ecosystems by independently reproducing upstream artifacts. In response to the rise in software supply chain attacks, OSS Rebuild automates the creation of declarative build definitions for PyPI, npm, and Crates.io packages and publishes SLSA provenance that meets SLSA Build Level 3 requirements without requiring any action from the package publisher. It offers build observability and verification tools, along with infrastructure definitions that let organizations run their own instances. By rebuilding packages and then generating, signing, and distributing provenance for them, OSS Rebuild helps detect several classes of supply chain compromise, such as source code that was never submitted upstream, compromised build environments, and stealthy backdoors, improving package trust and accelerating vulnerability response.
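The core check behind rebuild-based verification is simple to state: an artifact published to a registry should contain exactly the files that a clean build of the upstream source produces. The following is an added illustration of that comparison, not code from the OSS Rebuild project. It assumes both the rebuilt artifact and the published one are plain tar.gz archives, and it deliberately normalizes away build metadata (modification times, uid/gid) that legitimately differs between build machines, so that only content differences are reported. The two archives it compares are constructed in memory for the example; the "published" one carries a file that no upstream source accounts for and a modified setup.py.

```python
"""Reproducibility check: compare a rebuilt archive against a published one.

Added example, not OSS Rebuild's own code. Assumes tar.gz artifacts and
illustrates the idea behind rebuild-based verification: report files that
are added, missing or modified relative to the rebuild, while ignoring
metadata that varies between honest builds.
"""
import hashlib
import io
import tarfile
from typing import Dict, List, Tuple


def _normalized_members(archive_bytes: bytes) -> Dict[str, str]:
    """Map each regular file in the archive to the SHA-256 of its content.

    Directories, mtime and ownership are ignored: a rebuild on another
    machine differs in those fields without that being suspicious.
    """
    members: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for info in tar.getmembers():
            if not info.isfile():
                continue
            data = tar.extractfile(info).read()
            members[info.name] = hashlib.sha256(data).hexdigest()
    return members


def compare_artifacts(rebuilt: bytes, published: bytes) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs describing content differences.

    'added'    -> present only in the published artifact
    'missing'  -> present only in the rebuilt artifact
    'modified' -> same path, different content
    An empty list means the published artifact is content-identical.
    """
    a = _normalized_members(rebuilt)
    b = _normalized_members(published)
    findings: List[Tuple[str, str]] = []
    for path in sorted(set(a) | set(b)):
        if path not in a:
            findings.append(("added", path))
        elif path not in b:
            findings.append(("missing", path))
        elif a[path] != b[path]:
            findings.append(("modified", path))
    return findings


def build_tarball(files: Dict[str, bytes], mtime: int, uid: int) -> bytes:
    """Construct a tar.gz archive in memory from {path: content}.

    mtime and uid are set explicitly so the example can show that archives
    built with different metadata still compare as identical.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mtime = mtime
            info.uid = info.gid = uid
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: what a clean rebuild of the upstream source produces.
REBUILT_FILES = {
    "pkg-1.0/pkg/__init__.py": b"VERSION = '1.0'\n",
    "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg')\n",
}

# Constructed sample: a published artifact with one file that does not
# correspond to anything in the source, plus a modified setup.py.
PUBLISHED_FILES = {
    "pkg-1.0/pkg/__init__.py": b"VERSION = '1.0'\n",
    "pkg-1.0/pkg/_extra.py": b"# not present in the upstream source tree\n",
    "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg', py_modules=['x'])\n",
}

REBUILT = build_tarball(REBUILT_FILES, mtime=1700000000, uid=1000)
PUBLISHED = build_tarball(PUBLISHED_FILES, mtime=1600000000, uid=0)


def metadata_only_difference_is_ignored() -> bool:
    """Same content, different mtime/uid: must compare clean."""
    other = build_tarball(REBUILT_FILES, mtime=1, uid=0)
    return compare_artifacts(REBUILT, other) == []


if __name__ == "__main__":
    for finding, path in compare_artifacts(REBUILT, PUBLISHED):
        print(f"{finding:9s} {path}")
```

Run stand-alone, the script reports the extra module as `added` and setup.py as `modified`, while two archives that differ only in timestamps and ownership compare clean. A real deployment would additionally have to canonicalize whatever the specific build tool emits nondeterministically (compression headers, file ordering, embedded build paths), which is exactly the work that declarative build definitions and reproducible toolchains are meant to remove.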